Pay securely with an Android smartphone, completely without Google services: This is the plan being developed by the newly founded industry consortium led by the German Volla Systeme GmbH. It is an open-source alternative to Google Play Integrity. This proprietary interface decides on Android smartphones with Google Play services whether banking, government, or wallet apps are allowed to run on a smartphone.

  • Corngood@lemmy.ml · ↑ 110 · 25 days ago

    Furthermore, a peer review process is planned, through which the consortium members will mutually check and certify their operating systems and smartphone or tablet models. “This is intended to create transparency and replace trust with traceability.”

    Still doesn’t sound very open.

    I should be able to tell my bank to only trust devices running an OS signed by the grapheneos key, and more importantly I should be able to tell them to trust an OS signed by my key.

    Edit: I don’t mean to shit on this too hard. It might be the best next step.
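The policy asked for in the comment above maps onto Android hardware key attestation, whose RootOfTrust reports the verified boot state and a hash of the key that verified the OS. The following is an added sketch, not part of the thread or of the consortium's design; it assumes the attestation certificate chain has already been validated, and the class names, account names and keys are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# verifiedBootState values as defined for Android key attestation's RootOfTrust
VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = 0, 1, 2, 3


@dataclass(frozen=True)
class RootOfTrust:
    """Fields a server reads from an already chain-validated attestation."""
    verified_boot_key: bytes   # hash of the key that verified the OS image
    device_locked: bool        # bootloader is locked
    verified_boot_state: int


def fingerprint(os_public_key: bytes) -> bytes:
    """SHA-256 fingerprint of an OS signing public key."""
    return hashlib.sha256(os_public_key).digest()


class TrustPolicy:
    """Hypothetical bank-side policy: OEM builds plus pinned alternative OS keys."""

    def __init__(self, pinned_os_keys: dict[str, bytes]):
        self._pinned = dict(pinned_os_keys)          # label -> fingerprint
        self._per_user: dict[str, set[bytes]] = {}   # account -> fingerprints

    def enroll_user_key(self, account: str, os_public_key: bytes) -> None:
        # Assumption: enrollment happens over an already authenticated channel.
        self._per_user.setdefault(account, set()).add(fingerprint(os_public_key))

    def evaluate(self, account: str, rot: RootOfTrust) -> tuple[bool, str]:
        if not rot.device_locked:
            return False, "bootloader unlocked"
        if rot.verified_boot_state == VERIFIED:
            return True, "OEM-signed OS"
        if rot.verified_boot_state != SELF_SIGNED:
            return False, "boot verification failed or absent"
        # Locked bootloader with a custom root of trust: compare against pins.
        for label, fp in self._pinned.items():
            if hmac.compare_digest(fp, rot.verified_boot_key):
                return True, f"pinned OS key: {label}"
        for fp in self._per_user.get(account, ()):
            if hmac.compare_digest(fp, rot.verified_boot_key):
                return True, "user-enrolled OS key"
        return False, "unknown OS signing key"


# Constructed sample keys; not real GrapheneOS or vendor keys.
ALT_OS_KEY = b"constructed-alt-os-signing-key"
MY_KEY = b"constructed-self-built-os-key"
policy = TrustPolicy({"alt-os": fingerprint(ALT_OS_KEY)})
policy.enroll_user_key("alice", MY_KEY)
```

A self-built OS is accepted only for the account that enrolled its key, so one user's choice of trust root does not widen what the bank accepts for anyone else.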

    • benagain@lemmy.ml · ↑ 61 · 25 days ago

      It is kinda insane though that we’ve had public/private keys since the internet started walking and somehow we end up with all these over-complicated or pointless ways to use them.

      • msage@programming.dev · ↑ 8 · 24 days ago

        Decentralized systems are more difficult to understand, and also inconvenient.

        Also, very hard to monetize.

        Therefore, capitalism converts the issue into a walled garden approach. Easy for rubes to use, nobody bats an eye.

    • Leon@pawb.social · ↑ 27 · 25 days ago

      I don’t get why it has to be that complicated anyway. I should be able to just give them my key, why does an OS or device vendor need to be a part of it? When I get a card I need to verify my identity somehow, times past that was me going to the bank, signing a form and showing my ID card. Fucking Tim Apple or Satya McGoogle didn’t have a role in that, why should they now?

      Sidenote; I know Satya Slopella is Microsoft but I don’t frankly care to learn what the pedo in charge of Google is called.

      • 20dogs@feddit.uk · ↑ 4 · 24 days ago

        > When I get a card I need to verify my identity somehow, times past that was me going to the bank, signing a form and showing my ID card. Fucking Tim Apple or Satya McGoogle didn’t have a role in that, why should they now?

        The government did though in supplying said ID, so there was a centralised trustable organisation that the bank could depend on for verification.

        • Leon@pawb.social · ↑ 10 · 24 days ago

          Exactly. After that, the bank should accept that I wish to pay with my own device without Google, Apple, or Samsung having a say.

          They don’t need GAS approval for me to pay my bills on my computer. Nor to make online purchases on it. Why is it suddenly required on my phone? It’s idiotic.

          If I say that my device is okay, that’s all that should be required.

      • eleijeep@piefed.social · ↑ 2 · 25 days ago

        > I don’t frankly care to learn what the pedo in charge of Google is called.

        Blunder Pinochet. Or is it Sundial Pinoy. Or Thundercat Pyjamas.

  • Nyadia@lemmy.blahaj.zone · ↑ 68 · 25 days ago

    I see this topic come up often in conversations about degoogled Android and it makes me wonder what if anything I’m missing out on by just using cash/card for payments, cause not once have I been at checkout and thought to myself “man, I wish I could do this with my phone instead” but people talk about this like it’s almost a dealbreaker that makes it hard for them to seriously consider switching to Graphene or Lineage or whatever.

    • H Ramus@piefed.social · ↑ 40 · 25 days ago

      In a lot of countries banks are becoming mobile first. Want to log in in the browser? Authenticate with your mobile app to approve. Don’t have a mobile phone with the requisites of the bank? Well, go to the branch, take a ticket, wait and then tell them what you want to do with your money. It’s not just about paying, banks are moving online authentication to be dependent on Google or Apple, whatever poison you pick.

      This seems like same shit different flies. Still dependent on some centralised approval which doesn’t help openness and security. We need alternatives to the duopoly but this ain’t it, chief.

      • pishadoot@sh.itjust.works · ↑ 3 · 24 days ago

        I’ve never encountered what you’re describing. There’s always other ways to authenticate than through a mobile app, at least from my experience, and I think I’ve used about a dozen different banks/credit unions over the past 15 or so years. Last credit union I cut ties with had ZERO MFA for their web portal, except on account creation. Like, no SMS, no email, nothing - just user+pass, and making sure you have the right background picture of the login screen you picked on account generation (like, a duck or a football or whatever). Completely ridiculous in 2025 (when I cancelled my account).

        Regarding the OP, I think any new competition in this space right now is good, even if it ends up just being a triopoly vs a duopoly (fat chance with this thing but we can hope).

        Ideally though we need an open protocol/standard that can be implemented through any manner of device software.

        • H Ramus@piefed.social · ↑ 8 · 24 days ago

          Some countries are all-in on the digital transition and for a lot of things shops don’t even accept cash anymore. Digital QR code transfers are preferred. Be thankful that the banks that you deal with haven’t gone down this path.

          2 factor TOTP exists and is secure enough for corporates to have adopted a long time ago. Banks can adopt similar authentication methods but choose not to.

          On the OP, not sure what the solution could be. However, going down this path seems flawed.

        • Cyberwolf@feddit.org · ↑ 5 · 24 days ago

          No offense but it sounds like you’re from the US, where banking is 20 years behind in comparison to Europe.

          The other commenter is right, some banks are mandating 2FA using your phone even to log into web banking, so phone authentication is still required.

          Also some EU countries have pretty much become cashless although it’s obviously still legal tender. Even some tiny village in the middle of Denmark has card readers.

            • Cyberwolf@feddit.org · ↑ 2 · 24 days ago

              This “shit” is being pushed by the US, and we Europeans are the ones pushing back on it. Just sayin.

    • newtraditionalists@kbin.melroy.org · ↑ 14 · 25 days ago

      Right there with you. Access to my money relying on a device that needs to be charged is just stupid. I’m stranded somewhere, my phone runs out of battery, suddenly I have zero dollars. No thanks.

    • NewOldGuard@lemmy.ml · ↑ 13 · 25 days ago

      I agree, it’s a nice-to-have but it’s far from necessary. I like having the option as a backup in case I forget my wallet, but I’ll live without it

    • 20dogs@feddit.uk · ↑ 4 · 24 days ago

      My bank (Monzo) doesn’t even offer an alternative way to interact or sign up except through the smartphone app.

      • als@lemmy.blahaj.zone · ↑ 3 · 24 days ago

        FWIW, Monzo works on Lineage OS with no gapps. I can’t use google pay but I have a card for that.

      • WhyJiffie@sh.itjust.works · ↑ 2 · 23 days ago

        I’m sure there was, but I’m not sure there still is.

        maybe those who still do that carry around a google infested phone.

    • JoeMontayna@lemmy.ml · ↑ 4 · 25 days ago

      It’s the hardware, and it feels like mobile in particular is intentionally designed to not be modular. I suspect that is by design to keep it under control of the big companies.

    • root@lemmy.world · ↑ 4 · 25 days ago

      I agree, with the caveat that it’s very nice to be able to pay with my phone/watch if/when I forget my wallet, rather than having to go back home to get it.

    • puntinoblue@lemmy.ml · ↑ 3 · 25 days ago

      I don’t use the phone that often as a debit/credit bank card but I use it for payments (bills, invoices etc.), paying online, transferring money to people and accounts, and just managing accounts. The phone app is very useful for those functions - especially if the alternative is going into a bank and queuing.

      A phone OS that will not work with banking apps is not really a contemporary solution. iOS or Android are the only reliable options at the moment in the US/Europe - Iiuc Open Source Android has to sandbox Google Play for banking apps to work so that’s not a viable long-term solution, as Google will only make that more difficult in the future.

      Given the issues with the judges at ICC and US payment systems, building an alternative to Google and Apple is a high priority

      • WhyJiffie@sh.itjust.works · ↑ 1 · 23 days ago

        > The phone app is very useful for those functions - especially if the alternative is going into a bank and queuing.

        the bank’s web portal should also work for this.

        if it refuses to open on your phone, try firefox and enable desktop mode for that tab

        > Iiuc Open Source Android has to sandbox Google Play for banking apps to work

        that’s not necessary but also not enough for it. the bank apps specifically check if you run a google/apple approved, unmodified operating system.

        today it is not possible to pay with an open source operating system. somewhat of an exception is grapheneos, but even if you just build it from source for yourself, the bank’s app will refuse operation.

        and on top of that, google services are required too if you want to pay with your phone in shops.

        so this is not something open source os maintainers can solve. it is a result of google engaging in illegal practices which are not prosecuted.

        > building an alternative to Google and Apple is a high priority

        Technically… afaik most banks in the EU also support current non-android huawei phones, which have their own implementation of the play integrity service to lock you into the factory os. but huaweis are not better, probably worse.

    • MouldyCat@feddit.uk · ↑ 2 · 24 days ago

      Unfortunately there is a significant security advantage in using Google Pay or Apple Pay which no one has yet mentioned. When you make a payment with chip-and-PIN using your physical card, your real card number is exposed to the merchant. The proprietary wallet services on the other hand use a device-specific token in place of the card number.

      In practice, this means that if a retailer is compromised, there’s no usable card data to steal or clone, which removes a large class of fraud that still exists with physical cards.

      • Don_alForno@feddit.org · ↑ 1 · 23 days ago

        I prefer to take the risk of a compromised vendor over all the things google will 100% do with my payment data.

        • MouldyCat@feddit.uk · ↑ 1 · 23 days ago

          All power to you friend. Nevertheless it’s best to be informed, especially when attempting to make a better alternative.

    • Don_alForno@feddit.org · ↑ 1 · 23 days ago

      My bank uses an app as 2FA for online credit card payments. Without this app I couldn’t use my cc for online shopping.

  • JoeMontayna@lemmy.ml · ↑ 11 · 25 days ago

    Honestly if there was an alternate and functional phone/OS/app store that early adopters who are a little technical can embrace, it would be the #1 platform in under 5 years. People in the know are chomping at the bit to get away from these big monopolized platforms, and once it gains steam and polish, people will flock to it.

    • daisykutter@lemmy.dbzer0.com · ↑ 6 · 25 days ago

      There are already alternate app stores, and alternate OS and phones that are functional and niche. The real issue is that the Android people know is not open source, AOSP is the thing open sourced, but that’s far from what we use on a daily basis as Android, and Google makes sure every time it can to put hurdles between functionality and open source, some of those hurdles can and are being worked on, some others are out of reach for the open source community

      • JoeMontayna@lemmy.ml · ↑ 2 · 24 days ago

        I’ve never developed on Android, but would it be hard to port most apps to AOSP at this point if the developer wanted to?

          • JoeMontayna@lemmy.ml · ↑ 2 · 24 days ago

            Yeah so I don’t see what the issue is. If they gave me stock android from 8 years ago I would still be happy to use it, and most basic users probably wouldn’t even know the difference. There are very few features released in the past few years that I couldn’t live without. Probably the only notable one I can think of is notification history. Other than that it has been all downhill, like removing the ability to easily record calls, which iPhone can do no problem. As it is now I have to use a different phone and a bunch of hacks to get it to work. It’s my device, let me assume the risk. Nanny bullshit.

        • WhyJiffie@sh.itjust.works · ↑ 2 · 23 days ago

          most apps already work, and it’s been always that way. those that don’t, it’s because they depend on the google services system app (microg helps here). or they require google play integrity to pass which is not something that can be hacked around, because this is its exact purpose: denying to work on open source aosp systems. it is security, but not for you, but against you.

        • daisykutter@lemmy.dbzer0.com · ↑ 2 · 23 days ago

          AOSP is Android in barebones so apps “work”, the thing is that most apps need services that are developed by Google on top of AOSP (google maps api, notification services, google pay) and that are hard to replace because they need costly infrastructure or years of constant development. On top of that Google is promoting/forcing the use of Google Play Protect so more apps need that layer now

  • pineapple@lemmy.ml · ↑ 10 · 24 days ago

    I think it’s cool trying to figure out a way to do this without google, but it still won’t solve the fact that credit card payments aren’t private and are linked to your identity. As always cash is the way to go.

    Also if you are still going to have a credit card (I mean fair, I have one too) why not just use a physical card rather than paying on your phone?

  • Armand1@lemmy.world · ↑ 8 · 25 days ago

    I agree it would be good to have third party integrity checks to not require Google Services etc. as part of the chain.

    In GrapheneOS, many Google Play integrity checks pass, but payments still do not work. You are notified when an app uses the integrity API, but probably only because they have spent a bunch of work sandboxing Play Services. This is what you see when you look at those details:

    [Image: integrity checks in grapheneos]

    I guess the obvious problem is that so many apps rely on Google Services, such as for payments, opening the store, checking for integrity etc. On stock android, you can’t pick and choose these services separately or use third party ones, unlike using a third party keyboard, for example. Everything is one big proprietary, data guzzling lump.

  • GMac@feddit.org · ↑ 5 · edited · 23 days ago

    I don’t think I understand this. I don’t actually want to pay with my phone, so that’s a non-problem to me, but when I can access my bank with a browser on any pc in the world, why do they need attestation on a mobile? I don’t see why the requirement is inconsistent.

    • Allero@lemmy.today · ↑ 1 · 21 days ago

      I think it’s rather about NFC-powered (i.e. “tap your phone”) payments. These are automatic, which comes with different security issues.

      • GMac@feddit.org · ↑ 1 · 20 days ago

        Seems like a strong argument for dedicated hardware to me. Something card shaped 😉

        • Allero@lemmy.today · ↑ 1 · 20 days ago

          Sure, but it is way more convenient for many to tap the phone, and when there’s demand, there must be the supply.

          After all, making privacy and security convenient is the number 1 issue in the adoption of good practices by regular users.

      • zjti8eit@lemmy.dbzer0.com · ↑ 1 · 21 days ago

        Well luckily that hasn’t been my experience. Only time I ever saw that was at the height of the pandemic our local computer shop didn’t.

    • WhyJiffie@sh.itjust.works · ↑ 1 · 23 days ago

      in some countries it’s fallen out of fashion. in others, people are too lazy to bring a slim wallet with themselves and select the bills and coins every time they want to spend